The Alert Logic® network intrusion detection system (IDS) assignment policy has a "restrict network" option that takes a subnet (network address and mask). Its purpose is to limit the networks, and therefore the IP addresses, that an agent may use to connect to its appliance.
Reasons to Use the Restrict Network Option
Appliances and hosts running an agent may belong to more than one network and therefore have more than one IP address. When an agent is assigned to an appliance, it receives a list of all of the appliance's IP addresses and picks one at random to connect to. If the address it picks is on a network the agent's host is not on, the agent cannot reach the appliance. It may therefore be necessary to force the agent to use one particular network to connect to its appliance.
By restricting the subnet, you control which address the agent uses to connect to the appliance. Without the restrict network option, the agent picks an address at random, and that address may not be reachable from the host.
The restrict network option also lets the traffic captured by the agent be sent back to the appliance over a specific interface. This can be used to keep the captured traffic from consuming bandwidth on the main network interfaces, for example by sending it over a dedicated capture or management network.
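The following is an added example, not Alert Logic code, that models the address selection described above so you can sanity-check a restrict-network subnet before saving it. The appliance and host addresses are constructed for illustration, and the example assumes (a simplification) that an appliance address is reachable only if it lies on one of the host's directly attached networks; routed paths are ignored.

```python
import ipaddress
import random

# Constructed sample topology (not taken from the page): a dual-homed
# appliance and a dual-homed host running the agent. They share only the
# 10.10.1.0/24 network; the appliance's 192.168.50.0/24 leg is not
# reachable from the host.
APPLIANCE_ADDRS = ["10.10.1.20", "192.168.50.20"]
HOST_IFACES = ["10.10.1.45/24", "172.16.0.45/16"]


def candidate_addresses(appliance_addrs, restrict_network=None):
    """Appliance addresses the agent may choose from.

    Without a restriction every address is a candidate; with a
    restrict-network subnet only the addresses inside it remain.
    """
    addrs = [ipaddress.ip_address(a) for a in appliance_addrs]
    if restrict_network is None:
        return [str(a) for a in addrs]
    net = ipaddress.ip_network(restrict_network, strict=False)
    return [str(a) for a in addrs if a in net]


def pick_address(appliance_addrs, restrict_network=None, rng=random):
    """Model the agent's behaviour: a random pick among the candidates."""
    cands = candidate_addresses(appliance_addrs, restrict_network)
    if not cands:
        raise ValueError("no appliance address inside %s" % restrict_network)
    return rng.choice(cands)


def on_link(host_ifaces, addr):
    """True if addr lies in one of the host's interface networks.

    Assumption: reachability is modelled as sharing a network with one
    of the host's interfaces; static routes are ignored.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_interface(i).network for i in host_ifaces)


def check_restriction(appliance_addrs, host_ifaces, restrict_network):
    """Validate a proposed restrict-network subnet before saving it.

    Returns (ok, problems). ok means the subnet selects exactly one
    appliance address and that address is on-link from the host.
    """
    problems = []
    cands = candidate_addresses(appliance_addrs, restrict_network)
    if len(cands) == 0:
        problems.append("subnet matches no appliance address")
    elif len(cands) > 1:
        problems.append("subnet matches %d appliance addresses: %s"
                        % (len(cands), ", ".join(cands)))
    for c in cands:
        if not on_link(host_ifaces, c):
            problems.append("%s is not on any network of this host" % c)
    return (not problems, problems)


def unreachable_pick_rate(appliance_addrs, host_ifaces,
                          restrict_network=None, trials=1000, seed=1):
    """Fraction of simulated agent choices that land on an address the
    host cannot reach; shows why an unrestricted pick is unreliable."""
    rng = random.Random(seed)
    bad = sum(
        not on_link(host_ifaces,
                    pick_address(appliance_addrs, restrict_network, rng))
        for _ in range(trials))
    return bad / trials


if __name__ == "__main__":
    print("unrestricted unreachable rate:",
          unreachable_pick_rate(APPLIANCE_ADDRS, HOST_IFACES))
    print("restricted to 10.10.1.0/24:",
          unreachable_pick_rate(APPLIANCE_ADDRS, HOST_IFACES, "10.10.1.0/24"))
    for net in ("10.10.1.0/24", "192.168.50.0/24", "0.0.0.0/0"):
        print(net, check_restriction(APPLIANCE_ADDRS, HOST_IFACES, net))
```

Run it with the appliance's addresses and the host's interface list substituted for the constructed values; a subnet that passes `check_restriction` selects exactly one appliance address that the host can actually reach, while a too-wide subnet such as 0.0.0.0/0 reproduces the random, sometimes unreachable, choice the option is meant to prevent.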
Enabling the Restrict Network Option
To enable the restrict network option for an appliance, complete the following steps:
- In the Alert Logic console, click Configuration in the main menu.
- Click Network IDS in the sub-menu.
- Click Policies in the side bar.
- Click Assignment in the list of tabs in the middle of the page.
- Click the pencil icon to the far right of the appliance you want to apply the restrict network option to.
- Check the Restrict Network box and enter the subnet the agent should use to reach the appliance.
- Click Save.